Hello everybody. Thank you Andy, for introduction.
Indeed, I've been in eIDAS space since the very early stage in 2012, and let's see what else we can talk about or what else we are preparing. This is for you Andy. I've secretly worked for the nice user experience of the EUDI wallet, so this is how the wallet should look like in the end, after we finish with the regulation, with the standards, with implementation, large scale pilots and everything around, and hopefully the users will adopt the, the wallet and digital identity. They should trust the providers, they should trust the services.
Otherwise will have a lot of nice stuffs and technology, but nobody will adopt them. So where are we coming from? The proposal was first published in June, 2021, then entered into, into revision by the parliament and the council. They have worked in parallel. Each of the policy maker, each of the institution published different updates and amendments and now we are in the trilogue phase. The final closing to the final stage where is supposed to have by the end of this year, the final version entering into force.
We have seen the implementation roadmap that the previous colleagues talk about with the parallel tracks, legislative process member state implementation, reference wallets, development, large scale pilots and toolbox expert group.
So here we have a depiction of the interactions between the large scale pilots, the wallet prototype development, the toolbox i f development as Paulo. There was a said before is a living document that is updated based on the feedback provided by the developer or and implementers of large scale pilots. Trilogue started in March, so we are very close.
They, they are discussing, so the representatives from the Commission, from the European Parliament and the Council of European Union are discussing article by article and they should reach an agreement for each and every article for the final version. This is, these are the pictures from the, from the first trilogue. Here we have the actors, the overview of the actors of this EUDI wallet ecosystem.
Of course, at the center we have the user because eIDAS 2 is shifting the attention and putting the user at the center.
The user should be in control of its data because we cannot talk about possession of the data in the digital world. We are talking about control of the data. The user should be in control of, to whom is sharing his data for how long, should give a selective consent and also should be able to withdraw its consent for sharing the data.
And all this ecosystem is built by trust service providers that are relying and developing their services upon sources, authentic sources or different type of data sources relevant for the services they are providing. We have the governance, the supervisory bodies that are supervising the providers, qualified trust service providers and non-qualified trust service providers. We have trust, this trust listed that the previous colleagues talk about. What I wanted to raise your attention today on is on a trust services. What a trust service means, what a trust service provider is.
I dunno how many of you are familiar with the concept of trust service and the governance of eIDAS?
Okay, thank you. So this is from the initial proposal of the two. The trust service means an electronic service normally provided against payment, which consists of the creation, verification and validation of electronic signatures, electronic seals, electronic timestamps, electronic registered delivery service, electronic attestation of attributes and certificates related to those services. So we have here the definition, which are those trust services with blue.
We have the trust services defined by first version of eIDAS regulation, so electronic signatures, electronic seals, electronic timestamps, registered delivery services, and SSL certificates for a website authentication. And with yellow we have the new services defined by eIDAS 2, we have the electronic identity in a wallet. Online services for authentication, electronic attestation of attributes, validation and preservation plus archiving services and electronic ledgers.
So what, what is saying eIDAS 2, how do you know if you are a trust service provider in the, within the new context of eIDAS? Because we, we can imagine we have a lot of new electronic attestation of attributes that could be provided. So this is really an endless, we have endless possibilities for, for new services. But the question is, am I a trust service provider? Should I be, should I abide by certain rules? Should I implement specific standards? How do I know if I'm a trust service provider or not?
And we have very clear stated by the regulation, the and why if I'm a trust service provider, should I abide to eIDAS 2? Because it is stated in the first article, this regulation aims at ensuring the proper functioning of the internal market and providing an adequate level of security of electronic identification means and trust services.
Then we have the regulation lays down rules for trust services, then establishes a legal framework for electronic signatures and all the other trust services that I presented before.
So again, the second article, the scope of the regulation. This regulation applies to electronic identification schemes that have been notified by a member states and to trust service providers that are established in the Union. This regulation does not apply to the provision of trust services that are used exclusively within enclosed systems resulting from national law or from agreements between a defined set of participants. So if you want to know if you are a trust service provider under eIDAS 2 or not, you should answer to these simple questions.
Am I providing a service that is for a closed group? So has a legal effect only between the partners that are agreeing upon those services usage or not. So only trust services provided to the public having effect on third parties should meet the requirement laid down in the regulation.
What are the standards in support of eIDAS 2, because Andy said before, who is working on the, on the standards and probably most of you have this question in mind.
Well, there are three European standardization bodies in support providing standards, technical standards in support of European regulations. European Telecommunications Standards Institute is one of them and is working currently. We have first of all the ETSI standard TS 1 19 46 1 1 policy and security requirements for trust service components providing identity proofing of trust services subject.
This is a standard already published and available on the market, but now is under revision in order to be updated according to eIDAS 2 regulation because we have some changes within the, the regulation regarding the identity proofing of the users in order to be able to issue qualified electronic signature, qualified electronic seals, electronic attestation of attributes. So that standard is under revision right now. Then we have three new work items, new drafts.
One is wallet interfaces for trust services and signing the, the other one is policy and security requirements for electronic attestation of attributes. So if you want to issue electronic attestation of attributes, you should comply with this technical standard. And then the, the last one profiles for electronic attestation of, of attributes. So we will deliver a set of profiles that are proper for the implementation and deployment of electronic attestation of attributes as a a trust service. And with that, I think I'm good for questions.
Thank you very much Vicky.
So you're getting, wow, you're getting a bit of an insight to another whole area here, which is this standardization area and all of the, the new work that has to go on there to make this work. So if anyone was doubting the scale of this, then doubt no more, right? We had a few hands up.
Who, who's first? You've had like, you've had two or three. There's a gentleman back here. I was actually looking for the very me folks, but then I saw all these t-shirts in there. They're all here. So it's all Thank you. Could you say who you are by the way, before you?
My name is Nils, I'm from a Danish eID broker. My question is about phishing and user interface and all that are, because one of my concerns is that we spend so much time talking about ATC standards, HSM, FIPS, whatever, that we forget that the real action is in phishing.
That's where we see most attacks, at least in my part of the world, that, you know, there are no attacks on central infrastructure. The Swedes had a huge one recently, but they don't succeed. Where they do succeed is attacking the flow, the user experience because it's phishable. Will we see more stuff on this or will it still be up through the implementers?
You know, they have all the hardware security modules, but they're phishable or will that change?
Yeah, great question.
Sorry, sorry, I I
Yeah, just repeat. So how, how will phishing attacks be handled, you know, for, for people trying to break into your phone or send you
Well, I think there are different levels of implementation from coming from different actors within this ecosystem.
Depending, we are talking about provisioning trust service. We are talking about relying on the wallet to deliver, to deliver information to the relying parties. Each actor or we are talking about the wallet provider. So each member of this ecosystem is governed by specific rules and also security requirements that are assessed by qualified accreditation, conformity assessment bodies.
It,
It's gonna be interesting to see how the, oh, some, some more context. Excellent. So
I'm . I'm one of the people who has developed itsme in Belgium and itsme is already delivering a lot of functionality that the wallets will bring to, to the users. And what we noticed at itsme is that because the user interface allows the user to see what he's doing, instead of just typing over numbers or whatever, that phishing can be reduced considerably. Of course your user interface has to be built in the right way. It really has to inform the user about the action that he's taking.
But by using a mobile phone and to show in the mobile phone in the trusted app what he's doing, phishing can be considerably reduced against previous types of authentication mechanisms.
Thank you. We have a question at the back. We could do that for ages, especially the user interface piece, which is the key.
Yeah, I have one question. We are providing a wallet and we would like to be somehow certified or whatever conformity assist.
My, my key question is always what is the roadmap for having the sort of the approval part for a wallet provider? Because wallet provider is not considered as a trust service provider in the con in the way today bec, but the wallet provider is of course, one sort of is delivering the authentication of the user. That is one of the crucial part of the entire security and privacy stuff. So it needs to be somehow certified. There needs to be a roadmap for getting that certification. Have you any idea how that roadmap looks like and what kind of certification?
I'm expecting as a VO service provider,
We don't have a very clear roadmap for, for that part. Of course it's depending on the final form of the regulation, who is allowed to provide wallet. My understanding is that a member states will provide wallet or a company under the mandate of member state and of course ENISA is working. The European cybersecurity agency is working on preparing some documentation and reports and guidelines regarding the certification for cybersecurity aspects of the wallet. We should take into consideration also NIS2 directive.
That is, that has entered into force and should be transposed by each member state in its national legislation. So that will have another impact on the very good, on the certification for, for the wallet from member states to another.
Because I, I think it's a really good point though, isn't it? This
Is the difference between our regulation and the directive. The regulation applies as is day one. The directive I know should be transposed within member states by each member states with a timeline of two years, let's say thank, so it's a bit complex.
The certification, the cybersecurity certification for the, for the wallet.
Alright, so let's say thank you to Vicky for that round of applause and we'll.